From the course: Cloud Security Operations by Pearson

Hardware-specific security configuration

In this lesson, we're going to explore some hardware-specific security issues for the CCSP exam, starting with the HSM, the Hardware Security Module. This is a tamper-proof, hardened specialty appliance that's often used in a hypervisor environment and in a cluster to offer multi-tenant cloud HSM solutions. HSMs perform crypto processing. They perform TLS acceleration on behalf of web services. They also protect cryptographic keys, certificates, and other cryptographic functions. HSMs facilitate partitioned administration and security zones for your zero-trust environment. They can help you apply corporate key and secrets policies. In fact, they back the secrets managers and key management services at cloud service providers. They can also be used in place of crypto libraries and other accelerators.

Boot integrity is also on the exam. Remember that UEFI, the Unified Extensible Firmware Interface, replaced the traditional legacy BIOS, the Basic Input/Output System. So, boot integrity covers the low-level software that boots the device, the POST (power-on self-test) process, and the loading of the system files, all in a secure fashion. UEFI can protect the device at a lower level with passwords. It can restrict users from booting from devices such as USB fobs, prevent changes to UEFI settings without permission, and restrict booting other operating systems or installing over the current operating system.

Many data centers implement Trusted Execution Environments, or TEEs. These are the foundations of Trusted Computing, or TC. They use self-encrypting drives, SEDs, especially on endpoints. They'll use HSM devices and peripherals, maybe HSM SD cards and USB-attached crypto-processors as well, and, of course, TPMs, Trusted Platform Modules, which are security modules embedded into the system at the motherboard, or system board. A TPM is a tamper-resistant computer chip, or microcontroller, placed on the device or built into PCs, tablets, and mobile phones. It holds identity data, passwords, secrets, certificates such as X.509v3 for EAP-TLS, and encryption keys. In Google's Zero Trust model, all employee devices have a TPM for their EAP-TLS implementation using X.509v3 certificates. A TPM offers integrity, making sure the system hasn't been altered at a low level; authentication, ensuring the system is in fact the correct system; privacy, ensuring the system is protected from unauthorized prying eyes; and non-repudiation, through digital signatures and digital signing.
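As an added illustration of the TPM integrity property described above (this is example code, not part of the course), here is a small Python simulation of how measured boot extends a Platform Configuration Register (PCR) one stage at a time, so that a modified or reordered boot component yields a final value that no longer matches the known-good one. The boot-stage images, the golden value, and the tampering scenarios are constructed for the example; a real TPM computes the PCR in hardware and signs it in an attestation quote.

```python
import hashlib
import hmac

# Constructed sample boot chain for this example: each entry is the image that
# a boot stage measures before handing control to it. A real measured boot
# records firmware, bootloader, kernel, and so on into TPM PCRs.
BOOT_STAGES = [
    ("uefi-firmware", b"firmware image v1"),
    ("bootloader", b"bootloader image v1"),
    ("kernel", b"kernel image v1"),
]

def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style PCR extend: new_pcr = SHA-256(old_pcr || SHA-256(image)).

    The operation is one-way and order-sensitive, so a PCR value can only be
    reproduced by replaying exactly the same measurements in the same order.
    """
    digest = hashlib.sha256(image).digest()
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(stages) -> bytes:
    """Replay a boot: start from the all-zero PCR and extend once per stage."""
    pcr = bytes(32)  # PCRs are reset to zero at power-on
    for _name, image in stages:
        pcr = extend(pcr, image)
    return pcr

# Known-good ("golden") PCR value, recorded from a trusted reference boot.
GOLDEN_PCR = measure_boot(BOOT_STAGES)

def attest(stages) -> bool:
    """Attestation check: does the measured boot match the golden PCR?

    Constant-time comparison so the verifier does not leak how many leading
    bytes of the reported value matched.
    """
    return hmac.compare_digest(measure_boot(stages), GOLDEN_PCR)

# Constructed tampering scenarios for the example.
MODIFIED_BOOTLOADER = [
    BOOT_STAGES[0],
    ("bootloader", b"bootloader image v1 (modified)"),
    BOOT_STAGES[2],
]
REORDERED_STAGES = [BOOT_STAGES[1], BOOT_STAGES[0], BOOT_STAGES[2]]

if __name__ == "__main__":
    print("reference boot :", attest(BOOT_STAGES))          # True
    print("modified loader:", attest(MODIFIED_BOOTLOADER))  # False
    print("reordered boot :", attest(REORDERED_STAGES))     # False
```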
